Please help with elapsed plugin and timestap difference

fabryx87 · December 4, 2020, 8:35am

Hello everyone and thanks for this great Forum!

I would need a hand with elastic, I have to make a difference between 2 timestamps that have the logonid in common, but different event.action.
unfortunately I don't even know where to start, in ELK I'm following some trainings right now.
To recap what I am trying to do: I am trying to get the difference between 2 timestamps for windows logon and logoff.
I am using winlog.event_data.TargetLogonId to track the session,
event.action tell me if it a logon or a logoff.
and winlog.event_data.TargetUserName.keyword tell me the username.
this is a script I found online and readjusted using the plugin elapsed:

    if [event.action] == "logon" {
    mutate { add_tag => ["taskStarted"] }
    } else if [event.action] == "logoff" {
    mutate { add_tag => ["taskTerminated"] }
    }
    elapsed {
    start_tag => "taskStarted"
    end_tag => "taskTerminated"
    unique_id_field => "winlog.event_data.TargetLogonId"
    timeout => 10000
    new_event_on_match => false
    add_field => "winlog.event_data.EventDuration"
    }

can you please help me?
the result is to have the duration of a login session.

thanks to everyone will help me

Christian_Dahlqvist · December 8, 2020, 6:44am

Doing this kind of processing in Logstash introduces a series of severe limitations in that all data had to pass through the same Logstash instance, be processed by a single thread assuming Logstash does not restart and lose state. This may work for very small use cases but scale badly.

I would therefore recommend you look at the transform API and try to use this to create a new index containing a single entity-centric document per session which you can update as data comes into Elasticsearch. With this solution you do not need to throttle your ingest processing and are likely to see much better performance.

fabryx87 · December 9, 2020, 10:28am

Hi Christian,

Thanks for your reply and help.
do you have a tutorial that can help me on it?

thanks
Fabrizio

system · January 6, 2021, 10:28am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
How to calculate the timestamp difference between two actions? Kibana	4	5115	July 6, 2018
Elasticsearch filter plugin and winlogbeat Logstash	2	207	June 25, 2021
Elapsed Time Filter for calculating session Duration (elapsed_time is very big) Logstash	7	2725	July 6, 2017
[SOLVED] Measuring duration without using elapsed Logstash	3	865	December 28, 2016
Calculating elapsed time using scripted fields or Kibana Kibana	3	720	March 2, 2019

Please help with elapsed plugin and timestap difference

Related topics